NCSRC NIRMATA
IS-18B · Identity & Access · 8% of OML score

Is multi-factor authentication (OTP, app, hardware key) used where possible for system access?

Are you using a second verification step (like an OTP code, an authenticator app, or a physical security key) when people log into critical systems, not just passwords? This question asks whether you have added this extra security layer to protect against password theft or guessing.

Why This Matters to Your Business

If someone steals an employee's password—through phishing, a data breach, or social engineering—they can walk straight into your systems without the second check. In 2023, an Indian textile export company lost ₹2.5 crore when attackers compromised an accountant's email password and diverted payments to fake vendor accounts; MFA would have blocked them at login. Customers and auditors increasingly demand proof of MFA before awarding contracts or compliance certifications. Without it, you risk regulatory penalties under the DPDP Act, failed customer audits, and operational shutdown if ransomware reaches your financial systems.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You walk in and employees log into email, accounting software, and servers using only a username and password. No second verification step exists anywhere, and there is no plan to add one.

Level 1
Initial

You find that MFA is technically available in some systems (like Google Workspace or bank portals) but is disabled or optional; most employees do not use it. Only the owner or one person uses MFA as a personal habit, not as a business requirement.

Level 2
Developing

MFA is mandatory for email and accounting software, and 60–70% of staff use it (often SMS OTP). Critical systems like servers or databases do not have MFA, and enforcement is spotty for remote or contract workers.

Level 3
Defined

MFA is mandatory and enforced for all cloud applications (email, accounting, CRM, file storage); about 80–90% of staff comply. Servers and databases have MFA for administrative access, though not every system is covered yet, and you have a written policy requiring it.

Level 4
Managed

All critical systems (email, accounting, file storage, servers, databases, VPN) require MFA; compliance is 95%+. You use a mix of OTP, authenticator apps, and hardware keys; you audit MFA usage monthly and investigate bypasses. You have a formal access policy and exceptions are documented.

Level 5
Optimised

MFA is mandatory across all systems and all user types (employees, contractors, admins, API accounts). You use hardware security keys where possible, monitor MFA adoption in real-time via dashboards, and have zero-trust architecture that re-verifies identity on sensitive actions. Annual security review and staff training keep MFA strong; you track and trend MFA bypass attempts and blocked login threats.

How to Move Up — Practical Steps
Step | What to Do | Who | Effort
0 → 1 | Enable MFA on at least one critical system (email or cloud accounting tool); send staff a one-page guide on how to set up OTP on their phone or use the built-in authenticator app. | IT Admin or Business Owner (if no IT person) | 2–3 days
1 → 2 | Make MFA mandatory for email and accounting software; send a deadline notice (30 days) and train staff in a team meeting or short video; audit who has complied after the deadline. | IT Admin with support from HR or Operations Manager | 1–2 weeks
2 → 3 | Create a written access policy requiring MFA for all cloud and remote access; extend MFA to server/database admin accounts; set up a simple tracking sheet (or use your system's native audit log) to confirm compliance monthly. | IT Admin with input from Finance and Compliance (or external consultant if needed) | 2–4 weeks
3 → 4 | Deploy hardware security keys (YubiKeys or similar) to all admins and finance staff; integrate MFA into your IT onboarding checklist; build a dashboard or automated report to track MFA status and flag non-compliance within 48 hours. | IT Admin with budget approval from management | 6–8 weeks
4 → 5 | Implement conditional access rules (e.g., re-verify identity if login is from a new location or device); introduce MFA for API and service accounts; conduct annual penetration testing to verify MFA cannot be bypassed; update staff training and policy annually. | Senior IT staff (may need external security consultant) with CEO sign-off | Ongoing (quarterly policy review, semi-annual penetration tests)
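The compliance tracking that the 2 → 3 and 3 → 4 steps call for can be a small script rather than a spreadsheet. This is an added example, not NIRMATA tooling: it classifies each user in a constructed MFA-status export (the shape is assumed; a real Microsoft 365 or Google Workspace export will need mapping), treats SMS OTP as too weak for admin, finance and service accounts, honours documented time-boxed exceptions, and flags anyone without MFA for more than 48 hours.

```python
from datetime import datetime, timedelta

# Methods the guide treats as strong; SMS OTP is only tolerated for low-risk staff.
STRONG_METHODS = {"authenticator_app", "hardware_key"}
HIGH_RISK_ROLES = {"admin", "finance", "service_account"}
FLAG_WINDOW = timedelta(hours=48)   # flag non-compliance within 48 hours (3 -> 4 step)

def assess_user(user, now):
    """Classify one user record: ok, weak, pending, overdue or exception."""
    exc = user.get("exception_until")
    if exc and datetime.fromisoformat(exc) >= now:
        return "exception"            # documented, time-boxed exception still in force
    if not user["mfa_enabled"]:
        age = now - datetime.fromisoformat(user["status_since"])
        return "overdue" if age > FLAG_WINDOW else "pending"
    if user["role"] in HIGH_RISK_ROLES and user["method"] not in STRONG_METHODS:
        return "weak"                 # e.g. SMS OTP on a finance or admin account
    return "ok"

def compliance_report(users, now):
    """Adoption rate over non-excepted users plus the list of users to chase."""
    status = {u["user"]: assess_user(u, now) for u in users}
    counted = [u for u in users if status[u["user"]] != "exception"]
    enabled = sum(1 for u in counted if u["mfa_enabled"])
    adoption = round(100.0 * enabled / len(counted), 1) if counted else 0.0
    flags = sorted(name for name, s in status.items() if s in ("overdue", "weak"))
    return {"status": status, "adoption_pct": adoption, "flags": flags}

# Constructed sample export; names, roles and dates are invented for illustration.
NOW = datetime(2024, 6, 1, 9, 0)
SAMPLE_USERS = [
    {"user": "a.sharma", "role": "finance", "mfa_enabled": True, "method": "sms",
     "status_since": "2024-05-01T00:00", "exception_until": None},
    {"user": "r.iyer", "role": "staff", "mfa_enabled": True, "method": "authenticator_app",
     "status_since": "2024-05-01T00:00", "exception_until": None},
    {"user": "svc-erp", "role": "service_account", "mfa_enabled": False, "method": None,
     "status_since": "2024-05-20T00:00", "exception_until": None},
    {"user": "k.das", "role": "staff", "mfa_enabled": False, "method": None,
     "status_since": "2024-05-31T12:00", "exception_until": None},
    {"user": "p.rao", "role": "admin", "mfa_enabled": False, "method": None,
     "status_since": "2024-05-25T00:00", "exception_until": "2024-06-15T00:00"},
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_USERS, NOW)
    print(f"MFA adoption: {report['adoption_pct']}% of non-excepted users")
    for name, s in report["status"].items():
        print(f"  {name:10} {s}")
    print("chase:", ", ".join(report["flags"]))
```

Running it on the sample shows why a raw "MFA enabled" count is not enough: the finance user counts as enabled but is flagged as weak, and the excepted admin is excluded from the rate but still visible in the report for the exception log.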
Evidence You Should Have

Documents and records that prove your maturity level.

  • Screenshot or report from your email or accounting system showing MFA is enabled for all users (e.g., Microsoft 365 Admin Center MFA report or Google Workspace security settings)
  • Written access control policy or procedure document that states which systems require MFA and how to set it up
  • Monthly or quarterly MFA compliance audit report (e.g., a spreadsheet or system-generated log listing users and their MFA status)
  • Training record or email (sent to staff) with instructions on how to enable MFA and which apps are approved (e.g., Google Authenticator, Microsoft Authenticator, Authy, YubiKey)
  • Incident log or bypass exception document showing any cases where MFA was disabled, why, and when it was re-enabled
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me your policy on multi-factor authentication? Which systems require it, and which employee roles must use it?"
  • "Walk me through how a new employee sets up MFA on their first day. Who trains them, and how do you verify they have completed it?"
  • "What is your current MFA adoption rate? How many users have it enabled, and how do you track non-compliance?"
  • "What happens if an employee loses their phone or their OTP app stops working? How do you handle account recovery without bypassing MFA entirely?"
  • "Do you use MFA for administrative accounts, API keys, and service accounts, or only for end users? Can you show me evidence?"
Tools That Work in India
Purpose | Free Option | Paid Option
MFA for email and cloud apps (e.g., Gmail, Outlook, Microsoft 365, cloud accounting) | Google Authenticator, Microsoft Authenticator, Authy (free tier); built-in OTP in Gmail, Outlook, and most cloud providers | Microsoft 365 Conditional Access (included in E3 plan, ~₹2,000–4,000 per user/year); Okta (for multi-app SSO + MFA, ~₹10,000–20,000/month for small business)
Hardware security keys for admin and finance staff | None (hardware costs money) | YubiKey 5 (~₹4,000–5,000 per key); Google Titan Security Key (~₹4,500); Ledger Nano S (if using crypto-related systems, ~₹3,500–5,000)
MFA compliance tracking and audit logging | Native audit logs in Microsoft 365 or Google Workspace; open-source tools like GLPI or OCS Inventory (self-hosted, requires technical setup) | Okta System Log (~₹10,000+/month); JumpCloud (identity and device management, ~₹30–60 per user/year); BeyondTrust for privileged access (~₹15,000+/month)
How This Makes You More Resilient
When MFA is in place, stolen passwords alone no longer grant access to your email, banking, or accounting systems—a thief would also need the employee's phone or security key, which is far harder to obtain. This blocks the most common attack vector (phishing and credential theft) and makes ransomware, financial fraud, and data theft significantly slower and costlier for attackers, often causing them to move on to easier targets. Your customer trust and audit scores improve measurably, and you avoid the ₹5–50 lakh costs of a breach and recovery.
Common Pitfalls in India
  • Relying only on SMS OTP: SMS-based OTP can be intercepted by SIM swap attacks or smishing. Move to authenticator apps (Google Authenticator, Microsoft Authenticator) or hardware keys for high-risk accounts.
  • Allowing users to disable or skip MFA: Employees often complain that MFA is inconvenient and try to bypass it; management then quietly disables it. Make it non-negotiable and invest in a recovery procedure (e.g., backup codes or a trusted admin reset) instead of allowing opt-out.
  • No fallback plan when an employee loses their phone: If you do not have a backup MFA method (backup codes, recovery email, admin override), your staff will be locked out. Document a recovery procedure and test it quarterly.
  • MFA for users but not for admins or API accounts: Attackers often target high-privilege accounts (database admins, API credentials) because one compromise gives wide access. Enforce MFA on all admins and service accounts without exception.
  • Not auditing or tracking MFA adoption: You enable it but never check who has it on; non-compliance goes unnoticed for months. Set a simple monthly check (ask your IT vendor for a compliance report) and investigate gaps.
  • Mixing MFA solutions across departments: Some use SMS, some use Google Authenticator, some have none. This creates confusion and support overhead. Pick one or two standard methods across the entire organization and document them in a policy.
Compliance References
Standard | Relevant Section
DPDP Act 2023 | Section 8 (rights of data principals) and Schedule 2 (personal data protection obligations); MFA is a recognized safeguard for authentication and authorized access.
CERT-In 2022 | Direction 4: All information systems handling critical data shall implement MFA for remote access and privileged accounts.
ISO 27001:2022 | Annex A, Control 8.2.3 (Handling secret authentication information) and A.8.2.4 (Secure authentication); also aligns with A.8.3.2 (Use of privileged access rights).
NIST CSF 2.0 | Function PR.AC-1 (Access Control Policy) and PR.AC-7 (Access is restricted based on the principle of least privilege and users are provisioned with only the access necessary to perform assigned duties); MFA is a core mechanism.


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
